1/ #ThreatHunting:
In a compromised network, we saw the following request in the proxy logs:
www.advanced-ip-scanner[.]com/checkupdate.php?[..]
This scanner is popular with ransomware groups and has been mentioned in reports by @The DFIR Report, among others. [1]
2/ This HTTP request is a good basis for an alert.
Better still, collect and monitor all your DNS logs, because the update check issues a DNS query for this domain even when Advanced IP Scanner is run without being installed (portable version).
An excellent opportunity for detection.
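As an added example (not code from the thread or from @The DFIR Report), the following Python sketch shows the two detections side by side: a proxy rule keyed on the update-check URL, and a DNS rule keyed on the domain. Both log formats and all log lines are constructed for this example; real proxy and DNS logs will need their own parsers. The sample data includes one host that only appears in DNS, standing in for a portable-version run.

```python
"""
Detection sketch for Advanced IP Scanner update-check traffic in proxy and DNS logs.
The log formats and sample lines below are constructed for this example.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Indicator from the thread: the update check goes to www.advanced-ip-scanner.com/checkupdate.php
IOC_DOMAIN = "advanced-ip-scanner.com"
IOC_PATH = "/checkupdate.php"


@dataclass(frozen=True)
class Hit:
    source: str      # "proxy" or "dns"
    client: str      # internal host that generated the request
    timestamp: str
    detail: str


def _matches_domain(name: str, ioc: str = IOC_DOMAIN) -> bool:
    """True for the IOC domain itself or any label under it (www., update., ...).

    Uses a label boundary, so a lookalike such as advanced-ip-scanner.com.example.net
    does not match."""
    name = name.rstrip(".").lower()
    return name == ioc or name.endswith("." + ioc)


# Constructed proxy log format: "<ts> <client_ip> <method> <url> <status>"
PROXY_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def scan_proxy(lines):
    """Return a Hit for every proxy line whose URL host is the IOC domain."""
    hits = []
    for line in lines:
        m = PROXY_RE.match(line.strip())
        if not m:
            continue
        ts, client, method, url, _status = m.groups()
        parts = urlsplit(url)
        if _matches_domain(parts.hostname or ""):
            detail = f"{method} {parts.path}"
            if parts.path == IOC_PATH:
                detail += " (update check)"
            hits.append(Hit("proxy", client, ts, detail))
    return hits


# Constructed DNS query log format: "<ts> <client_ip> query <qname> <qtype>"
DNS_RE = re.compile(r"^(\S+) (\S+) query (\S+) (\S+)$")


def scan_dns(lines):
    """Return a Hit for every DNS query line whose qname is the IOC domain."""
    hits = []
    for line in lines:
        m = DNS_RE.match(line.strip())
        if not m:
            continue
        ts, client, qname, qtype = m.groups()
        if _matches_domain(qname):
            hits.append(Hit("dns", client, ts, f"{qtype} {qname}"))
    return hits


def hunt(proxy_lines, dns_lines):
    """Run both detections. The third list holds DNS hits from clients that never
    showed up in the proxy logs: those are the runs a proxy-only alert would miss."""
    proxy = scan_proxy(proxy_lines)
    dns = scan_dns(dns_lines)
    proxy_clients = {h.client for h in proxy}
    dns_only = [h for h in dns if h.client not in proxy_clients]
    return proxy, dns, dns_only


# Constructed sample data (not real log lines)
SAMPLE_PROXY = [
    "2024-01-10T09:12:01Z 10.0.5.23 GET http://www.advanced-ip-scanner.com/checkupdate.php?lang=en&ver=2.5 200",
    "2024-01-10T09:12:05Z 10.0.5.23 GET https://www.microsoft.com/ 200",
    "2024-01-10T09:13:44Z 10.0.7.8 GET https://example.org/index.html 200",
]
SAMPLE_DNS = [
    "2024-01-10T09:12:00Z 10.0.5.23 query www.advanced-ip-scanner.com. A",
    "2024-01-10T09:30:17Z 10.0.9.41 query www.advanced-ip-scanner.com. A",           # no matching proxy line
    "2024-01-10T09:31:02Z 10.0.9.41 query advanced-ip-scanner.com.example.net. A",   # lookalike, must not match
    "2024-01-10T09:31:09Z 10.0.7.8 query www.microsoft.com. A",
]

if __name__ == "__main__":
    proxy, dns, dns_only = hunt(SAMPLE_PROXY, SAMPLE_DNS)
    for h in proxy + dns:
        print(f"[{h.source}] {h.timestamp} {h.client} {h.detail}")
    print("DNS-only clients:", sorted({h.client for h in dns_only}))
```

The domain check is anchored on a label boundary rather than a substring match so that a lookalike name containing the IOC does not fire; the `dns_only` list is the part worth alerting on separately, since those clients produced no proxy evidence at all.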
3/ You can see the DNS request for the domain www.advanced-ip-scanner[.]com below.